By Dan Hebert, PE, Senior Technical Editor
Proprietary access means that a company establishes a secure link between its machines in the field and its home office by using dedicated communications hardware. System integrator Prism Systems uses security modules to establish connections to remote systems, such as a natural gas compressor.
"Over the years we've used a number of methods to support remote sites," explains Keith Jones of Prism. "If the end system is primarily software-based—such as an HMI, web application or database application—then a web-based software solution works well. We use Citrix to establish a remote support session to a PC at the customer's site. This allows us to take control of the PC and work to resolve issues."
But for remote access to a PLC, Jones says that solution doesn't work well. "First, you must have a PC at the remote site connected to both the Internet and to the PLC. This never is recommended because it creates serious security issues. Second, the remote PC must have the development software installed on it, and this is a licensing headache we prefer to avoid."
Instead, Prism uses Siemens industrial security modules for PLC access. "This is a hardware solution that allows us to install a special security module at the customer's location," he explains. "This module has two Ethernet connections—one for the controls network and another for a network with Internet access. We have a second module installed at our office. When we configure the modules, we use a security configuration tool that forms a permanent VPN tunnel between these two devices."
This configuration provides a secure connection from Prism's office to the remote location with a minimum of configuration. "Since this is a hardware device built specifically for secure connections, we can install it with confidence that it will provide a high degree of protection."
Once the VPN connection is established, Prism can connect to PLCs as if they were at the site. "The PLC software is installed on our computers and connects to the remote PLCs over standard Ethernet. Typically, we see no performance issues with the industrial security modules and find that we truly can support the sites without having to travel."
Another advantage to this solution is that Prism can restrict access on both sides to specific devices. "We can configure the modules to pass data between specific MAC addresses to restrict connectivity to only our modules," Jones explains. "The device records all network activity, so the customer has logs of who connected when and for how long."